
APPLICATION NOTE

Using the DirectControl Kerberos Utilities

Kerberos-enabled services, utilities and development components



Centrify DirectControl uses Kerberos technology to authenticate UNIX sessions with Active Directory credentials. One of the advantages of using Kerberos is that it enables applications and many common network utilities to be used without having to re-enter user and password information. Since Kerberos is built into DirectControl, it is possible to use standard Kerberos utilities to leverage secure, authenticated, ticket-based single sign-on sessions.

Centrify has compiled an optional package that includes Kerberos-based development components as well as Kerberized utilities and services. These are based on the latest Kerberos distribution from MIT, and the utilities can be used with the standard DirectControl product. The Application Note describes how to install, configure and use the components included with the Centrify DirectControl Kerberos Utilities package. Customers and those evaluating DirectControl can download these utilities from the Centrify Download Center. See below for more insight into how the Kerberos utilities work and what you can do with them.

Centrify's unique Support for Open Source Software plan provides the same benefits as product support, including guaranteed service levels.

About the DirectControl Kerberos Utilities

Centrify has made a number of enhancements to the Kerberos environment that make deployment of Kerberos applications simpler. Some of these enhancements include:

Automated setup of Kerberos. When you join a UNIX, Linux or Mac computer to an Active Directory domain using DirectControl, the setup of all Kerberos-related system configuration files is automatically done for you. For example, the file /etc/krb5.conf is configured correctly to use the Active Directory domain controller as the Kerberos key distribution center. Having these configuration files automatically set up for you means that Kerberized UNIX applications will "just work" using Active Directory as the Kerberos authority.

Removing the need for .k5login. Normally a Kerberized login-type application such as ssh, telnet or rsh requires a .k5login file on the target system. The creation of these files can become a significant administrative burden. Centrify removes the need for this file in almost all cases. See the Application Note for a detailed explanation of when a .k5login file is needed.

Removing the need for host-to-realm mapping. If your DNS domain names and Active Directory domain names are disjoint, you normally need host-to-realm name mappings in the Kerberos configuration file. Maintaining these entries can be a significant administrative overhead. Centrify's Kerberos implementation removes the need for these entries.

Secure canonicalization. In many cases Kerberos needs to convert a partial host name to a fully qualified name that includes its realm name. This process is called canonicalization. For example, the host name in the command:

telnet -a system1

will actually be interpreted as system1.centrify.com@CENTRIFY.COM if the system is part of the CENTRIFY.COM realm. MIT's Kerberos distribution uses a combination of DNS and host-to-realm mappings to achieve this translation. The use of DNS is inherently insecure, and RFC 1510 (the main Kerberos standard) specifically recommends against using it but does not offer an alternative. DirectControl implements a more secure mechanism that uses Active Directory's knowledge of the domain and does not rely on DNS.
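To make the host-to-realm lookup described above concrete, the following is an added example (not Centrify's or MIT's code) that models how an MIT-style krb5.conf [domain_realm] table turns a host name into host@REALM, covering the short-name case from this section and the disjoint DNS/realm case from the previous one. The file contents, host names and realm names are constructed, and the DNS search-domain expansion stands in for the DNS step that the text says MIT Kerberos relies on.

```python
# Illustrative model of MIT-style host-to-realm canonicalization (added
# example, not Centrify's or MIT's code; all names below are constructed).

# Constructed krb5.conf; [domain_realm] holds the host-to-realm mappings.
KRB5_CONF = """
[libdefaults]
    default_realm = CENTRIFY.COM
    dns_lookup_kdc = false
[realms]
    CENTRIFY.COM = {
        kdc = dc1.centrify.com
    }
[domain_realm]
    .centrify.com = CENTRIFY.COM
    .lab.example.net = CENTRIFY.COM
    legacy-box.example.org = LEGACY.EXAMPLE.ORG
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat key = value lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            if value.strip() != "{":  # skip the realm sub-block opener
                sections[current][key.strip()] = value.strip()
    return sections


def realm_for_host(fqdn, domain_realm, default_realm):
    """Exact host entry first, then parent domains with a leading dot, then default_realm."""
    host = fqdn.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm


def canonicalize(name, conf, search_domain):
    """Expand a short name with the DNS search domain, then attach the realm."""
    fqdn = name if "." in name else f"{name}.{search_domain}"
    realm = realm_for_host(fqdn, conf["domain_realm"], conf["libdefaults"]["default_realm"])
    return f"{fqdn}@{realm}"
```

With the constructed table, `system1` resolves to `system1.centrify.com@CENTRIFY.COM`, a host under the disjoint `lab.example.net` DNS domain still lands in `CENTRIFY.COM`, and a host with no matching entry falls back to the default realm.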

Supported Platforms

(Chart legend: Supported / Recent Additions / Coming Soon; the status icons did not survive extraction, so the per-platform status is not shown here.)

Apple Mac OS X: 10.3 PPC; 10.4 PPC; 10.4 Intel
CentOS Linux: 3.8 (x86, x86_64); 4.4 (x86, x86_64); 5.0 (x86, x86_64)
Debian Linux: 3.0 (x86); 3.1 (x86, x86_64); 4.0 (x86, x86_64)
Hewlett Packard HP-UX: 11.00 PA-RISC, 11.00 PA-RISC Trusted; 11.11 PA-RISC, 11.11 PA-RISC Trusted; 11.22 Itanium, 11.22 Itanium Trusted; 11.23 PA-RISC, 11.23 PA-RISC Trusted, 11.23 Itanium, 11.23 Itanium Trusted
IBM AIX: 4.3.3; 5.1; 5.2; 5.3; 6.1
Novell SUSE Linux: Ent. Server 8.0 (x86); Ent. Desktop 9.0 (x86); Ent. Server 9.0 (x86, x86_64); Ent. Desktop Pro 9.1 (x86); Ent. Desktop Pro 9.2 (x86); Ent. Desktop Pro 9.3 (x86); Ent. Desktop 10.0 (x86); Ent. Server 10.0 (x86, x86_64)
OpenSUSE Linux: 10.1 (x86)
Oracle Enterprise Linux: 4.0 (x86, x86_64)
Red Hat Linux: 7.2 (x86); 7.3 (x86); 8.0 (x86); 9.0 (x86)
Red Hat Enterprise Linux: AS/ES/WS 2.1 (x86); AS/ES/WS 3.0 (x86, x86_64); AS/ES/WS 4.0 (x86, x86_64); AS/ES/WS 5.0 (x86, x86_64)
Red Hat Fedora: Core 3 (x86, x86_64); Core 4 (x86, x86_64); Core 5 (x86, x86_64); 6 (x86, x86_64); 7 (x86, x86_64); 8 (x86, x86_64)
Scientific Linux: 3.0.8 (x86, x86_64); 4.4 (x86, x86_64); 4.5 (x86, x86_64); 5.0 (x86, x86_64)
Sun Solaris: 2.6 (SPARC); 8 (SPARC); 9 (SPARC, x86); 10 (SPARC, x86, x86_64)
Ubuntu Linux: Desktop 6.06 LTS (x86, x86_64); Server 6.06 LTS (x86, x86_64); Desktop 7.04 (x86, x86_64); Server 7.04 (x86, x86_64); Desktop 7.10 (x86, x86_64); Server 7.10 (x86, x86_64)
VMWare ESX Server: 2.1.2 (x86); 2.5 (x86); 2.5.1 (x86); 2.5.2 (x86); 2.5.3 (x86); 3.0 (x86); 3.0.1 (x86); 3.0.2 (x86); 3.5 (x86)